Kee Vault Privacy Statement

Effective date: 31st Jan 2019

Thanks for entrusting Kee Vault with your personal information. Holding onto your private information is a serious responsibility, and we want you to know how we’re handling it.

The short version

We only collect the information you choose to give us, and we process it with your consent, or on another legal basis; we only require the minimum amount of personal information that is necessary to fulfill the purpose of your interaction with us; we don’t sell it to third parties; and we only use it as this Privacy Statement describes.

Of course, this doesn’t tell you everything, so please read on for more details!

The medium version

Because we think this is really important, you will see this same information directly on the registration page so feel free to skip to the full version below.

Your email address is securely sent to a Kee Vault server (a computer on the internet) and immediately encrypted so that no-one can view it, even if the Kee Vault account database is illegally accessed. Our advanced personal data protection solution means that even when you next sign in to Kee Vault, your email address is not transmitted.

We will share your email address only with 3rd parties that are essential to the operation of the Kee Vault service, for example for payment processing. We demand the highest level of security from these recipients of your personal data.

Potentially personally identifiable information is only kept for as long as is needed for us to deliver the service to you and meet our legal obligations. For example, the server logs IP addresses as part of protecting your account from unauthorised access attempts.

To improve Kee Vault for you, we record anonymous usage data across keevault.pm and associated websites. This never includes personally identifiable information (or passwords!) and is never shared.

To protect against malicious attempts to deanonymise information and to enhance your security, your device may participate in a private communication network that includes other Kee Vault or Kee browser addon users. Any information sent using this network will be kept secret and have a negligible impact on your device performance and data costs.

We and/or our essential 3rd party partners will send you emails that relate to critical service or security issues as necessary. Receiving other emails is optional.

The full version

Definition of “User Personal Information”

This is any information about one of our users which could, alone or together with other information, personally identify him or her. Information such as an email address is an example of “User Personal Information.” User Personal Information includes Personal Data as defined in the General Data Protection Regulation (GDPR).

User Personal Information does not include aggregated, non-personally identifying information. We may use aggregated, non-personally identifying information to operate, improve, and optimize our website and service.

What information Kee Vault collects and why

Information from website browsers

If you’re just browsing the website, we collect the same basic information that most websites collect. We may use common internet technologies, such as cookies and web server logs. This is stuff we collect from everybody, whether they have an account or not.

The information we collect about all visitors to our website includes the visitor’s browser type, language preference, referring site and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (IP) addresses.

Why we collect this information

We collect this information to better understand how our website visitors use Kee Vault, and to monitor and protect the security of the website.

Information from users with accounts

If you create an account, we require some basic information at the time of account creation. We will ask you for a valid email address. Your password gives you access to your account as well as your encrypted Vault filled with your passwords.

Your password is never sent to Kee Vault (we use modern security techniques like SRP to accurately authenticate you without needing to ever see it).

Why we collect this information
  • We need your User Personal Information to create your account, and to provide the services you request, including to provide the Kee Vault service, or to respond to support requests.
  • We use your User Personal Information, specifically a pseudo-anonymous version (one-way cryptographic hash) of your email address, to identify you on Kee Vault.
  • We will use your email address to communicate with you, if you’ve said that’s okay, and only for the reasons you’ve said that’s okay. Please see our section on email communication for more information.
  • We make limited use of your User Personal Information for internal purposes, such as to maintain logs for security reasons, for training purposes, and for legal documentation.
  • We limit our use of your User Personal Information to the purposes listed in this Privacy Statement. If we need to use your User Personal Information for other purposes, we will ask your permission first.

Under certain international laws (including GDPR), Kee Vault is required to notify you about the legal basis on which we process User Personal Information. Kee Vault processes User Personal Information on the following legal bases:

  • When you create a Kee Vault account, you provide your email address. We require this for you to enter into the Terms of Service agreement with us, and we process this on the basis of performing that contract. We also process your email address on other bases. If you have an Active Kee Vault Subscription, there will be other data elements we must collect and process on the basis of performing that contract. Kee Vault does not collect or process a credit card number, but our third-party payment handlers do.
  • When you fill out the information in your support profile, you have the option to provide User Personal Information such as your full name. We process this information on the basis of consent. All of this information is entirely optional, and you have the ability to access, modify, and delete it at any time.
  • Generally, the remainder of the processing of personal information we perform is necessary for the purposes of our legitimate interests. For example, for security purposes, we must keep logs of IP addresses that access Kee Vault.

What information Kee Vault does not collect

We do not intentionally collect sensitive personal information, such as government ID numbers, genetic data, health information, or religious information. Although Kee Vault does not request or intentionally collect any sensitive personal information, we realize that you might store this kind of information in your account. If you store any sensitive personal information in your Vault, you are responsible for complying with any regulatory controls regarding that data.

If you’re a child under the age of 13, you may not have an account on Kee Vault. Kee Vault does not knowingly collect information from or direct any of our content specifically to children under 13. If we learn or have reason to suspect that you are a user who is under the age of 13, we will unfortunately have to close your account. We don’t want to discourage you from improving your online security, but those are the rules. Please see our Terms of Service for information about account termination. Other countries may have different minimum age limits, and if you are below the minimum age for providing consent for data collection in your country, you may not use Kee Vault without obtaining your parents’ or legal guardians’ consent.

How we share the information we collect

We do share User Personal Information with your permission, so we can perform services you have requested or communicate on your behalf. Additionally, you may indicate, through your actions on Kee Vault, that you are willing to share your User Personal Information. We will respect your choices.

We do not share, sell, rent, or trade User Personal Information with third parties for their commercial purposes.

We do not host advertising on Kee Vault.

We do not disclose User Personal Information outside Kee Vault, except in the situations listed in this section or in the section below on Compelled Disclosure.

We do share certain aggregated, non-personally identifying information with others about how our users, collectively, use Kee Vault, or how our users respond to our other offerings. For example, we may compile statistics on the number of active users or approximations of the quantity of stored passwords. However, we do not sell this information to advertisers or marketers.

We do share User Personal Information with a limited number of third party vendors who process it on our behalf to provide or improve our service, and who have agreed to privacy restrictions similar to our own Privacy Statement by signing data protection agreements. Our vendors perform services such as payment processing, customer support ticketing, hosting infrastructure, network data transmission, and other similar services. When we transfer your data to our vendors we remain responsible for it and always transfer the minimum amount of data possible. While Kee Vault processes all User Personal Information in the United States, EU or UK, our third party vendors may process data outside of these locations.

We may share User Personal Information if we are involved in a merger, sale, or acquisition. If any such change of ownership happens, we will ensure that it is under terms that preserve the confidentiality of User Personal Information, and we will notify you on our website or by email before any transfer of your User Personal Information. The organization receiving any User Personal Information will have to honor any promises we have made in our Privacy Statement or in our Terms of Service.

Kee Vault applications

You may also have the option of adding applications from Kee Vault, such as browser extensions, desktop or mobile apps/helpers, or other account features, to your account. These applications may have their own terms and privacy statement, and may collect different kinds of User Personal Information; however, we will always collect the minimum amount of User Personal Information necessary, and use it only for the purpose for which you have given it to us.

How you can access and control the information we collect

Access, update, alter or delete your personal information by signing in to Kee Vault and visiting your Account Settings page. Some information is managed directly through that page and in other cases you will be able to follow the links/buttons to the relevant page.

Data portability

You can save a copy of your data at any time from the Settings page for your Kee Vault. The data format is KDBX, a standard, encrypted and widely supported format specialised for password storage.

Data retention and deletion of data

Generally, Kee Vault will retain User Personal Information for as long as your account is active or as needed to provide you services.

We may retain certain User Personal Information indefinitely, unless you delete it or request its deletion. For example, we don’t automatically delete inactive user accounts, so unless you choose to delete your account, we will retain your account information indefinitely.

You can cancel your Subscription at any time by going into your Account settings. The Subscription details screen provides a simple cancellation link. We are not able to cancel Accounts in response to an email or phone request.

Upon receipt of your cancellation request we will mark your Subscription as “Pending Cancellation”. Your Subscription will then continue until the end of your current Billing Term when it will then become “Cancelled”. You can undo your cancellation request at any point during this “Pending Cancellation” period.

We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements, but barring those requirements, we will delete your email address, encrypted passwords and any payment details held at our payment partners within 180 days of cancellation or termination (though some information may remain in encrypted backups). This information cannot be recovered once your Account is cancelled.

Our use of cookies and tracking

Cookies

Kee Vault avoids the use of cookies wherever possible.

Our network provider (CloudFlare CDN) uses cookies to identify a device, for security reasons.

To make interactions with our service easy and meaningful, we use local storage (such as HTML5 localStorage) to enable offline access, remember your preferences, and provide information for future development of Kee Vault.

By using our website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept cookies or local storage, the Kee Vault Service may malfunction or not work at all.

Tracking and analytics

We use an analytics system to help us evaluate our users’ use of Kee Vault; compile statistical reports on activity; and improve our content and website performance.

A unique random identifier will be created for your account and used on each of your devices to ensure that the anonymous data from your account is correctly associated together. Kee Vault does not store or otherwise have any access to the data that would be required to use this identifier to identify you or any of your personal information, so even security breaches of multiple Kee Vault services will have no effect on your privacy.

None of this anonymous data is ever shared, although we may share information relating to aggregations of many anonymous identifiers.

Unlike nearly all websites, this is a private analytics system (we do not share your online movements with Google via Google Analytics, for example).

We do not permit third parties other than our service providers to track Kee Vault users’ activity over time. We do not track your online browsing activity on other online services over time. We therefore have no need to, and do not, respond to your browser’s Do Not Track signal.

Note that if you have accessed other websites on the kee.pm domain before mid-March 2019, you may have inactive Google Analytics cookies on your system which are safe to ignore or remove as you prefer.

How Kee Vault secures your information

Kee Vault takes all measures reasonably necessary to protect User Personal Information from unauthorized access, alteration, or destruction; maintain data accuracy; and help ensure the appropriate use of User Personal Information.

In the event of a data breach that affects your User Personal Information, we will act promptly to mitigate the impact of a breach and notify any affected users without undue delay.

Transmission of data on Kee Vault is encrypted using SSH, HTTPS, and SSL/TLS. We hold your email address in an encrypted state at all times barring the transient need for access, for example when sending you a message to your email address. Stored data is encrypted using AES-256; some transmitted data is also encrypted using AES-256 before transmission over TLS (double encryption).

Your Vault data is AES-256 encrypted on your local machine before being transmitted for synchronisation to your other devices. It is then encrypted again while stored in our cloud where it awaits your next sign-in request.

Private communication network

To protect against malicious attempts to deanonymise information and to enhance your security, your device may participate in a private communication network that includes other Kee Vault or Kee browser extension users.

Messages sent on this network will be encrypted using techniques to ensure the contents of the messages can only be read by their intended recipient, even if those messages pass through multiple intermediate recipients on the way to their destination.

By virtue of joining this network, your device will probably send and receive more data than would otherwise be required for the delivery of the application itself and direct communication with the Kee Vault cloud.

The precise technical details of the form and purpose of these messages may vary but we will always ensure that they serve these broad purposes such that they are justified legally and morally under the basis of being essential to our contract for the supply of a password management service:

  1. Improves your security or privacy - We see this encrypted network as an innovative way to enhance your security and privacy beyond what is possible without the use of the network. We will only ever utilise the network if we are able to justify that such utilisation improves your security or privacy.
  2. Minimal data usage - We will only send what is required and will always ensure that in comparison to the data usage of the rest of the Kee Vault service, the data usage will be negligible both in terms of bandwidth usage and any metered costs you incur from your network supplier; if technically feasible we will use best efforts to deliver data when an unmetered internet connection is available.

Kee Vault’s global privacy practices

We store and process the information in several locations in accordance with this Privacy Statement (our subprocessors may store and process data elsewhere).

We work hard to comply with the applicable data privacy laws wherever we do business and strive to go beyond the minimum standards required by even the strictest international policies.

Kee Vault’s primary storage and processing location is the United Kingdom, currently a part of the European Union. In future, we may store and process data elsewhere in the EU. We may also store, but not process, encrypted data in the United States. In all cases, this storage and processing adheres to the EU GDPR requirements.

How we respond to compelled disclosure

Kee Vault may disclose personally-identifying information or other information we collect about you to law enforcement in response to a valid subpoena, court order, warrant, or similar government order, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties or the public at large.

In complying with court orders and similar legal processes, Kee Vault strives for transparency. When permitted, we will make a reasonable effort to notify users of any disclosure of their information, unless we are prohibited by law or court order from doing so, or in rare, exigent circumstances.

For the avoidance of doubt, we never have access to your password data, nor your master password that can reveal this data. Compelled disclosure is therefore most likely to relate to Personal Information such as your email address or payment details.

How we, and others, communicate with you

We will use your email address to communicate with you, if you’ve said that’s okay, and only for the reasons you’ve said that’s okay. For example, if you contact our Support team with a request, we will notify you with a response via email.

Kee Vault may occasionally send notification emails about new features, requests for feedback, important policy changes, or to offer customer support. We also send marketing emails, but only with your consent, if you opt in to our list. There’s an unsubscribe link located at the bottom of each of the marketing emails we send you. Please note that you cannot opt out of receiving important communications from us, such as emails from our Support team, Billing team or system emails.

Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email.

Dispute resolution process

In the unlikely event that a dispute arises between you and Kee Vault regarding our handling of your User Personal Information, we will do our best to resolve it - please contact us.

Additionally, if you are a resident of an EU member state, you have the right to file a complaint with your local supervisory authority (at least while the UK is a member of the EU).

Changes to our Privacy Statement

Although most changes are likely to be minor, Kee Vault may change our Privacy Statement from time to time. We will provide notification to Users of material changes to this Privacy Statement through our Website at least 30 days prior to the change taking effect by posting a notice on our home page or sending email to the email address specified in your Kee Vault account.

We will also update our website repository, which tracks all changes to this policy. For changes to this Privacy Statement that do not materially affect your rights, we encourage visitors to check that location frequently.

Your GDPR rights

Kee Vault respects privacy rights under Regulation (EU) 2016/679 (GDPR). Information that GDPR requires us to give can be found throughout this privacy statement. So can information about specific rights, like access, rectification, erasure and data portability.

Contacting Kee Vault

If you have questions regarding Kee Vault’s Privacy Statement or information practices, please feel free to contact us.